Just noticed that my CSRF protection didn't work


When the DI is

$container['csrf'] = function ($container) {
    return new \Slim\Csrf\Guard;
};

It works. I get a “Failed CSRF check!”

But when trying to throw a “Method not allowed” response with

$container['csrf'] = function ($container) {
    $guard = new \Slim\Csrf\Guard();
    $guard->setFailureCallable(function ($request, $response, $next) {
        $request = $request->withAttribute("csrf_status", false);
        return $next($request, $response);
    });
    return $guard;
};

It seems that I have broken the CSRF protection.

And to test the CSRF I’m using this snippet:

  <form name="csrf_form" action="http://VULNERABLE_APP/csrf.php" method="POST">
    <input type="hidden" name="csrf_param" value="POST_ATTACK">
  </form>

  <script type="text/javascript">document.csrf_form.submit();</script>

How do I throw a method not allowed on CSRF failure?

Do you use the attribute csrf_status anywhere?

The default failure handler returns an error for you, but with the fail handler you use you will have to return an error yourself.

Check below the default failure handler
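To make the reply's point concrete, here is an added example that is not code from either poster and not the default handler referred to above. It assumes Slim 3 with slim/csrf 0.8 (the `$request, $response, $next` callable signature) and a route named `/csrf.php` matching the test form; the failure callable builds the error response itself and never calls `$next`, which is what let the forged POST through in the question.

```php
<?php
// Added example (not from the original thread): Slim 3 with slim/csrf 0.8.
// Assumes composer autoloading and that \Slim\App / \Slim\Csrf\Guard exist.
require 'vendor/autoload.php';

$app = new \Slim\App();
$container = $app->getContainer();

$container['csrf'] = function ($container) {
    $guard = new \Slim\Csrf\Guard();

    // A custom failure callable fully replaces the default handler, so it
    // must produce the rejection itself. Setting an attribute and calling
    // $next($request, $response) forwards the request to the route, i.e.
    // the forged POST is processed as if the token were valid.
    $guard->setFailureCallable(function ($request, $response, $next) {
        $body = new \Slim\Http\Body(fopen('php://temp', 'r+'));
        $body->write('Method Not Allowed: CSRF check failed');

        // 405 as asked in the question; 403 is the more usual status for a
        // rejected token. Either way the request stops here.
        return $response
            ->withStatus(405)
            ->withHeader('Content-Type', 'text/plain')
            ->withBody($body);
    });

    return $guard;
};

// Register the guard as application middleware so every state-changing
// request (POST/PUT/DELETE/PATCH) is checked before any route runs.
$app->add($container->get('csrf'));

// Hypothetical route matching the action of the test form above.
$app->post('/csrf.php', function ($request, $response) {
    // Only reached when the csrf_name / csrf_value pair was valid.
    return $response->write('CSRF check passed');
});

$app->run();
```

Submitting the test form against this setup should yield the 405 body rather than the route's output; if the route output appears, the guard is not in the middleware chain or the callable is still forwarding the request.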